Chapter 17 Network Traffic Monitoring PDF

Summary

This document explains network traffic signatures, including normal and suspicious patterns. It also covers the concept of baselining normal traffic and details attack signature analysis techniques in a network security context.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring Module Flow Understand the Need and Advanta...

Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring Module Flow Understand the Need and Advantages of Network Traffic Monitoring Determine Baseline Traffic Signatures for Normal and Suspicious Network Traffic Perform Network Monitoring for Suspicious Traffic Determine Baseline Traffic Signatures for Normal and Suspicious Network Traffic The objective of this section is to explain the various types of network traffic signatures and the concept of baselining normal traffic signatures. It describes the categories of suspicious network traffic signatures and attack signature analysis techniques. Module 17 Page 2031 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring Network Traffic Signatures & O Asignature is a set of traffic characteristics such as a source/destination IP address, ports, @ Transmission Control Protocol (TCP) flags, packet length, time to live (TTL), and protocols O Signatures are used to define the type of activity on a network R Types of Signatures Normal Traffic Signature J ” Attack Signatures » Acceptable traffic patterns » Suspicious traffic patterns not allowed to enter the network allowed to enter the network All Rights Reserved. Reproduction Is Strictly Prohibited Network Traffic Signatures A signature is a set of characters that define network activity, including IP addresses, Transmission Control Protocol (TCP) flags, and port numbers. It includes a set of rules used to detect malicious traffic entering a network. Signatures are used to perform the following: = Raise alerts in the case of unusual traffic on the network. = |dentify suspicious header characteristics in a packet. = Configure an intrusion detection system to identify attacks or probes. = Acquire knowledge on a specific attack that occurred or a vulnerability that can be exploited. = Match patterns in a packet analysis. Type of Signatures Signatures are classified into two main categories depending on their behavior, as described below. = Normal traffic signatures: These include the normal network traffic in the network and are defined based on a normal traffic baseline for the organization. These signatures do not contain any malicious patterns and can be allowed to enter the network. = Attack Signatures: Traffic patterns that appear suspicious are generally treated as attack signatures. These signatures should not be allowed to enter the network. If allowed, they often cause a network security breach. These signatures deviate from the normal signature behavior and should be analyzed. Module 17 Page 2032 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring Baselining Normal Traffic Signatures O A network baseline is the accepted behavior for normal network traffic. It is a benchmark to differentiate between normal and suspicious traffic O Network traffic baselines differ between organizations and change over time according to the operating environment and prevailing threat scenario Some considerations to create a baseline for normal traffic: = TCP/IP communication involves a three-way handshake for normal traffic = ASYN flag appears at the beginning and a FIN flag at the end of a connection = All conversations originating inside the demilitarized zone (DMZ) are trusted traffic items = Any traffic violating the network policies is malicious traffic; e.g., the existence of File Transfer Protocol (FTP) traffic when this type is restricted indicates a potential issue Baselining Normal Traffic Signatures A network traffic baseline helps understand the behavioral patterns of a network. It is a benchmark to differentiate between normal and suspicious traffic. Baselining allows a set of metrics to monitor network performance. These metrics define the normal working condition of an enterprise’s network traffic. The network traffic is compared with metrics to detect any changes in the traffic that could indicate a security issue in the network. A network traffic baseline establishes the accepted packets that are safe for the organization. Baselining the traffic facilitates the detection of suspicious activities on the network. Any deviation from the normal traffic baseline can be considered a suspicious traffic signature. The security professional should define a network baseline for their organization and validate the traffic against it. Baselining is more effective if it works in parallel with the organization’s policy. With the help of normal traffic baselining, security professional can judge the requirements to secure the network. Network traffic baselines differ between organizations and change over time according to the operating environment and prevailing threat scenario. Although, there is no industry standard to measure network traffic performance baselines, there are network monitoring tools that provide estimates of what type of traffic is normal. A network traffic baseline should be defined for all incoming, and outgoing Internet traffic and wide area network (WAN) links. The network traffic baseline should also contain the traffic for critical business data and backup systems. = According to a network traffic baseline, normal traffic signatures for TCP packets should have the following characteristics: o To establish a three-way handshake, TCP uses SYN, SYN ACK, and ACK bits in every session. Module 17 Page 2033 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring o The ACK bit should be set in every packet, except for the initial packet, in which the SYN bit is set. o FIN ACK and ACK are used in terminating a connection. PSH FIN and ACK may also be used initially in the same process. o RST and RST ACK are used to quickly end an on-going connection. o During a conversation (after a handshake and before termination), packets only contain an ACK bit by default. Occasionally, they may also have a PSH or URG bit set. = A suspicious TCP packet has one or more of the following characteristics: o If both SYN and FIN bits are set, the TCP packet is illegal. o SYN FIN PSH, SYN FIN RST, and SIN FIN PSH RST are all variants of SIN FIN. An attacker sets these additional bits to avoid detection. o A packet having only a FIN flag is illegal as FIN can be used in network mapping, port scanning, and other stealth activities. o Some packets have all six flags unset; these are known as NULL flags and are illegal. o The source or destination port is zero. o Ifthe ACK flag is set, then the acknowledgement number should not be zero. o If a packet has only the SYN bit, which is set at the beginning to establish a connection, and any other data are present, then it is an illegal packet. o If the destination address is a broadcast address (ending with 0 or 255), it is an illegal packet. o Every TCP packet has two bits reserved for future use. If either or both are set, then the packet is illegal. = All conversations originating inside the demilitarized zone (DMZ) are trusted traffic items. = Any traffic violating the network policies is malicious traffic, e.g., the existence of File Transfer Protocol (FTP) traffic when this type is restricted indicates a potential issue. = Any Dynamic Host Configuration Protocol (DHCP) traffic from unknown DHCP servers indicates a rogue DHCP server. = Mail traffic originating in the network but not sent to a mail server is suspect. = Any DNS traffic not sent to the DNS server is suspect. = Any outgoing traffic with internal addresses not matching the organization’s address space may be malicious. Module 17 Page 2034 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring Categories of Suspicious Traffic Signatures Informational Reconnaissance Traffic containing certain signatures Traffic containing certain signatures that may appear suspicious but that indicate an attempt to gain might not be malicious information Unauthorized Access E Denial of Service Traffic containing certain signatures Traffic containing certain signatures that indicate an attempt to gain that indicate a DoS attempt that unauthorized access floods a server with a large number of requests Categories of Suspicious Traffic Signatures Network traffic deviating from normal behavior is categorized as a suspicious traffic signature. It is classified into four categories as follows. Informational: The informational traffic signature detects normal network activity. Although it may not appear suspicious, the data gathered through the informational signature can be used for suspicious activities. For example, informational traffic signatures may include the following: o Internet Control Message Protocol (ICMP) echo requests o TCP connection requests o User Datagram Protocol (UDP) connections Reconnaissance: Reconnaissance traffic consists of signatures that indicate an attempt to scan the network for possible weaknesses. Reconnaissance is an unauthorized discovery of vulnerabilities, which maps of systems and services. Reconnaissance is also known as information gathering, and it precedes a network attack in most cases. For example, reconnaissance traffic signatures may include the following: o Ping sweep attempts o Port scan attempts o Domain Name System (DNS) query attempts Unauthorized access: Traffic may contain signs of someone attempting to gain unauthorized access, unauthorized data retrieval, system access or privilege escalation, etc. An attacker who does not have privileges to access an organization's network Module 17 Page 2035 Certified Cybersecurity Technician Copyright © by EG-Gouncil EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring usually generates this type of traffic with the intention of capturing sensitive data. For example, unauthorized access traffic signatures may include the following: o Password cracking attempts o Sniffing attempts o Brute-force attempts = Denial of service (DoS): This type of traffic may contain a large number of requests from a single source or multiple sources, which are sent as an attempt to perform a DoS attack. This type of attack is performed to disrupt the service of the target organization. For example, DoS traffic signatures may include the following: o Ping of death attempts o SYN flood attempts Module 17 Page 2036 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring Attack Signature Analysis Techniques Content-based signature analysis Context-based signature analysis O Attack signatures are contained in packet payloads O Attack signatures are contained in packet headers QO [ @9 HEADER | PpAYLOAD | [ HEADER | @@& PAYLOAD| O Inspect packets for unusual/suspicious header O Check for specific strings occurring in the suspicious information such as the following: payload. r Source and destination IP addresses IP options, protocols, and checksums Source and destination port numbers ‘f IP fragmentation flags, offset, or identification ‘f Atomic-signature-based analysis Composite-signature-based analysis QO Single-packet analysis is sufficient to detect attack Q Multiple-packet analysis is required to detect attack signatures signatures | HEADER | PAYLOAD | El u HEADER | PAYLOAD ll ool HEADER | : PAYLOAD I; H Copyright ©© by Copyright by EC EC cll.L All Rights Reserved, Reproductionis Strictly Prohibited Attack Signature Analysis Techniques Attack signature analysis techniques are classified into four different categories as follows. = Content-based signature analysis: Content-based signatures are detected by analyzing the data in the payload and matching a text string to a specific set of characters. If undetected, these signatures can open backdoors in a system, providing administrative controls to an outsider. = (Context-based signature analysis: Packets are usually altered using the header information. Suspicious signatures in the header can include malicious data that can affect the following: o Source and destination IP addresses o Source and destination port numbers o |P options o |P protocols o |P, TCP, and UDP checksums |IP, o IP fragmentation flags, offset, or identification = Atomic-signature-based analysis: To detect an atomic signature, security professionals need to analyze a single packet to determine whether the signature includes malicious patterns. Security professionals do not require any knowledge of past or future activities to detect these signature patterns. = Composite-signature-based analysis: In contrast to atomic signatures, security professionals need to analyze a series of packets over a long period of time to detect Module 17 Page 2037 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring composite attack signatures. Detecting these attack patterns is exceedingly difficult. ICMP flooding is an example of an attack performed using composite signatures. In this attack, multiple ICMP packets are sent to a single host so that the server remains busy responding to the requests. Attacker signatures may be located in either the header or payload of the packet. Module 17 Page 2038 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser